Tech Tip - CA Privileged Access Manager: Cipher Suites supported by the Active Directory Target Application

By Ralf Prigl posted 04-12-2018 06:22 PM



What Cipher Suites are supported by the Active Directory Target Application in PAM 3.1.1?


The AD target application connects only to the secure LDAP (LDAPS) port 636 of AD domain controllers. A good way to see which cipher suites a TLS client supports is to run a network trace somewhere along the network route, or on the AD domain controller itself, and inspect the "Client Hello" packet: the client lists every suite it is willing to negotiate there, before the server picks one. An example is given below for a PAM 3.1.1 AD target application connecting to a domain controller using TLS 1.2:


Transmission Control Protocol, Src Port: 51577, Dst Port: 636, Seq: 1, Ack: 1, Len: 252
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 247
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 243
            Version: TLS 1.2 (0x0303)
            Random: 5ab9029fceced8d64a24f35f13bfb9e02bdd8c57bdcb7318...
            Session ID Length: 0
            Cipher Suites Length: 100
            Cipher Suites (50 suites)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xc026)
                Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
                Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
                Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
                Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02e)
                Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xc032)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)
                Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
                Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
                Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
                Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
            Compression Methods Length: 1
            Compression Methods (1 method)
            Extensions Length: 102
            Extension: supported_groups (len=22)
            Extension: ec_point_formats (len=2)
            Extension: signature_algorithms (len=28)
            Extension: server_name (len=34)
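The same inspection can be scripted when a trace has to be reviewed for many clients. The following is an added example, not code from the original tip or from CA PAM: it parses the cipher suite list out of a raw TLS ClientHello record (the field Wireshark displays above) and flags suites an AD administrator would want to note before restricting the domain controller's Schannel configuration (3DES, CBC mode, no forward secrecy). The record it parses is a constructed minimal ClientHello, not the captured packet, and the suite names table covers only the ids used in the sample.

```python
import struct

# Suite ids -> names, a subset of the list in the PAM 3.1.1 trace above (IANA names).
SUITE_NAMES = {
    0xc02c: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xc030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009d: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0xc014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x000a: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x00ff: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}

def build_client_hello(suites):
    """Constructed sample only: a minimal TLS 1.2 ClientHello record offering `suites`."""
    body = b"\x03\x03" + bytes(32) + b"\x00"            # client version, random, session id len 0
    body += struct.pack("!H", 2 * len(suites))          # cipher suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00" + b"\x00\x00"                   # compression: null; extensions length 0
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs  # record type 22 = handshake

def parse_client_hello_suites(record):
    """Return the cipher suite ids offered in a ClientHello TLS record, in client order."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    body = hs[4:]                                       # skip type (1) + length (3)
    pos = 2 + 32                                        # skip client version + random
    pos += 1 + body[pos]                                # skip session id length + session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]

def assess(suite_id):
    """Map a suite id to (name, list of properties worth flagging); SCSVs get no flags."""
    name = SUITE_NAMES.get(suite_id, "unknown(0x%04x)" % suite_id)
    flags = []
    if "3DES" in name:
        flags.append("3DES (64-bit block cipher)")
    if "_CBC_" in name:
        flags.append("CBC mode")
    if name.startswith("TLS_RSA_") or name.startswith("TLS_ECDH_"):
        flags.append("no forward secrecy")             # static RSA / static ECDH key exchange
    return name, flags

def report(record):
    """Assess every suite in a ClientHello record; returns [(name, flags), ...]."""
    return [assess(s) for s in parse_client_hello_suites(record)]

if __name__ == "__main__":
    sample = build_client_hello([0xc02c, 0xc014, 0x009d, 0x000a, 0x00ff])
    for name, flags in report(sample):
        print(name, "->", ", ".join(flags) or "ok")
```

Point `report()` at the handshake bytes exported from the capture (Wireshark: right-click the Record Layer, Export Packet Bytes) to get the same listing for a real trace.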